Publications

Microsoft's Open Specification Promise: No Assurance for GPL

There has been much discussion in the free software community and in
the press about the inadequacy of Microsoft's Office Open XML (OOXML)
as a standard, including good analysis of some of the shortcomings of
Microsoft's Open Specification Promise (OSP), a promise that is
supposed to protect projects from patent risk. Nonetheless, following the
close of the ISO-BRM meeting in Geneva, SFLC's clients and colleagues
have continued to express uncertainty as to whether the OSP would
adequately apply to implementations licensed under the GNU General
Public License (GPL). In response to these requests for
clarification, we publicly conclude that the OSP provides no assurance
to GPL developers and that it is unsafe to rely upon the OSP for any
free software implementation, whether under the GPL or another free
software license.

Irrevocable but Only for Now

Microsoft makes its promise “irrevocably,” but upon
careful reading of the entire OSP, this promise is weakened
considerably in the definition of Covered Specifications. In that
provision, Microsoft clarifies that:

New versions of previously covered specifications will be separately
considered for addition to the list.

Because of this narrow definition of the covered specifications, no
future versions of any of the specifications are guaranteed to be
covered under the OSP. Each new version is subject to Microsoft's
ongoing discretion on a case by case basis. In other words, every
time a specification changes, Microsoft can effectively revoke the OSP
as it had applied to previous versions of that same specification.
Microsoft states that it will commit to renewal of the promise for
future versions of specifications subject to standardizing activity
“to the extent that Microsoft is participating in those
efforts,” which means that Microsoft reserves the right to
cancel the promise with respect even to standardized specifications,
by merely withdrawing from the relevant standard-setting workgroup or
activity. While technically an irrevocable promise, in practice the
OSP is good only for today.

The OSP Covers Specifications, Not Code

The OSP covers any of the Covered Specifications, and Microsoft's
promise applies to “full or partial implementation,”
according to its FAQ, but Microsoft also states:

The OSP does not apply to any work that you do beyond the scope of
the covered specification(s).

This statement clarifies the qualification in the very first
sentence of the OSP that the promise applies only “to the extent
it conforms to a Covered Specification.” The OSP will apply to
implementations of the specifications, but only to the extent that
such code is used to implement the specification. Any code that
implements the specification may also do other things in other
contexts, so in effect the OSP does not cover any actual code, only
some uses of code. Free software is software that all users have a
right to copy, modify and redistribute, and as Microsoft points out in
the OSP, there is no sublicensing of rights under it. So any code
written in reliance on the OSP is covered by the promise only so long
as it is not copied into a program that does something other than
implement the specification. This is true even if the code has not
otherwise been modified, and code that conforms to the specification
cannot be modified if the resulting modified code does not conform.
Therefore the OSP doesn't permit free software implementation: it
permits implementation under free software licenses so long as the
resulting code isn't used freely.

No Consistency with the GPL

The OSP cannot be relied upon by GPL developers for their
implementations not because its provisions conflict with GPL, but
because it does not provide the freedom that the GPL requires.
Relying on the OSP is unsafe because new versions of specifications
could be excluded from the OSP and because the resulting code could
not safely be used outside a very limited field of use defined by
Microsoft. GPL developers, with their special sensitivity to issues
of preserving downstream freedom, will be unable to rely on the OSP
with confidence.

In its FAQ regarding the OSP, Microsoft confuses the issue further,
saying:

Because the General Public License (GPL) is not universally
interpreted the same way by everyone, we can't give anyone a legal
opinion about how our language relates to the GPL or other OSS
licenses, but based on feedback from the open source community we
believe that a broad audience of developers can implement the
specification(s).

While not attempting to clarify the text of the OSP to indicate
compatibility with the GPL or provide a safe harbor through its
guidance materials, Microsoft wrongly blames the free software legal
community for Microsoft's failure to present a promise that satisfies
the requirements of the GPL. It is true that a broad audience of
developers could implement the specifications, but they would be
unable to be certain that implementations based on the latest versions
of the specifications would be safe from attack. They would also be
unable to distribute their code for any type of use, as is integral to
the GPL and to all free software.

As the final period for consideration of OOXML by ISO elapses, SFLC
recommends against the establishment of OOXML as an international
standard and cautions GPL implementers not to rely on the
OSP.1